For several months I and a handful of others in the Canadian privacy and security community have been mulling over what Bill C-30, better known as Canada’s ‘lawful access’ legislation, might mean for the future of encryption policy in Canada. Today, I’m happy to announce that one of the fruits of these conversation, a paper that I’ve been working on with Kevin McArthur, is now public. The paper, titled “Understanding the Lawful Access Decryption Requirement,” spends a considerable amount of time considering the potential implications of the legislation. Our analysis considers how C-30 might force companies to adopt key escrows, or decryption key repositories. After identifying some of the problems associated with these repositories, we suggest how to amend the legislation to ensure that corporations will not have to establish key escrows. We conclude by outlining the dangers of leaving the legislative language as it stands today. The full abstract, and download link, follows.
Canada’s lawful access legislation, Bill C-30, includes a section that imposes decryption requirements on telecommunications service providers. In this paper we analyze these requirements to conclude that they may force service providers to establish key escrow, or decryption key retention, programs. We demonstrate the significance of these requirements by analyzing the implications that such programs could have for online service providers, companies that provide client software to access cloud services, and the subscribers of such online services. The paper concludes by suggesting an amendment to the bill, to ensure that corporations will not have to establish escrows, and by speaking to the dangers of not implementing such an amendment.
Download paper at the Social Sciences Research Network
For roughly the past two years I’ve been working with colleagues to learn how Automatic Number Plate Recognition (ANPR) systems are used in British Columbia, Canada’s westernmost province. As a result of this research one colleague, Rob Wipond, has published two articles on how local authorities and the RCMP are using ANPR technologies. Last February I disclosed some of our findings at the Reboot privacy and security conference, highlighting potential uses of the technology and many of the access to information challenges that we had experienced with respect to our research. Another, Kevin McArthur has written several pieces about ANPR on his website over the years and is largely responsible for Rob and I getting interested, and involved, in researching the technology and the practices associated with it.
The most recent piece of work to come out of our research is a paper that I, Joseph Savirimuthu, Rob, and Kevin have written. Joseph and I will be presenting it in Florence later this month. The paper, titled “ANPR: Code and Rhetorics of Compliance,” examines BC and UK deployments of ANPR systems to explore the rationales and obfuscations linked to the programs. The paper is presently in a late draft so if you have any comments or feedback then please send it my way. The abstract is below, and you can download the paper from the Social Sciences Research Network.
Automatic Number Plate Recognition (ANPR) systems are gradually entering service in Canada’s western province of British Columbia and are prolifically deployed in the UK. In this paper, we compare and analyze some of the politics and practices underscoring the technology in these jurisdictions. Drawing from existing and emerging research we identify key actors and how authorities marginalize access to the systems’ operation. Such marginalization is accompanied by rhetorics of privacy and security that are used to justify novel mass surveillance practices. Authorities justify the public’s lack of access to ANPR practices and technical characteristics as a key to securing environments and making citizens ‘safe’. After analyzing incongruences between authorities’ conceptions of privacy and security, we articulate means of resisting intrusive surveillance practices by reshaping agendas surrounding ANPR.
Download paper from the Social Sciences Research Network
UPDATE: The paper is now published in the European Journal of Law and Technology